How much state can I save in session variables for a web app?


Question


I'm coding up a REST/RPC API for a web app that I'm creating. From what I've learned it seems like one of the core ideas behind REST is to not maintain any state. That said, I find myself doing things like marking a session as authenticated on the server side of things, and this feels like saving state. How far should I take this practice? Where should I draw the line? There are other things that would be really convenient to save as part of the session's variables, but I'm wondering how do I know when I should or shouldn't do this.


I hope this is the right venue to ask this question. I debated on whether or not to post it in programmers but this just felt more appropriate.

Update:


I'm told that using a ticketing system is better than using session variables to maintain things like auth information. Could someone include an answer that has a very high-level description of how such a ticketing system would work?

Recommended answer


You are correct - REST calls are ideally stateless, and storing something in a session variable, and using that for the REST call, is anathema. You can't, for instance, guarantee that a RESTful client can even send the cookie information necessary for the session variables.


If you need authentication, then you should have REST calls that return something like a ticket, then the REST caller would send that ticket as part of another call.


UPDATE: For a ticketing system, you generally want to use the same auth or similar auth system. For instance, if you require a user name and password, you might want the ticket request to POST that. A ticket is a GUID that is passed on subsequent calls. The ticket on the server can be stored in session, or in a DB (I typically have a TICKETS table, with things like expiration dates).

$result = file_get_contents('http://site.com?action=auth&user=matt&password=pass');
// parse $result XML for ticket or auth error
// subsequent calls...
$result = file_get_contents('http://site.com?action=getSomething&ticket=' . $ticket);


QuickBase works this way - you send an API_Auth action with a username, password and api app token, and get a ticket in return. Then you pass your api app token and the ticket on subsequent calls - both GET requests and POST sends.
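
The server side of the ticket scheme described in the answer, as an added Python sketch (not code from the original answer or from QuickBase). It assumes a random token from the OS CSPRNG in place of a GUID, a hypothetical `tickets` table that stores only a SHA-256 hash of each ticket alongside its expiry, and a 15-minute lifetime.

```python
import hashlib
import secrets
import sqlite3
import time

TICKET_TTL = 900  # seconds; assumed lifetime, not from the original answer

def open_store():
    """In-memory TICKETS table: only a hash of each ticket is stored."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE tickets (ticket_hash TEXT PRIMARY KEY,"
               " username TEXT NOT NULL, expires_at REAL NOT NULL)")
    return db

def _digest(ticket):
    # A leaked table then reveals no usable tickets.
    return hashlib.sha256(ticket.encode()).hexdigest()

def issue_ticket(db, username, now=None):
    """Call only after the username/password check has succeeded."""
    now = time.time() if now is None else now
    ticket = secrets.token_urlsafe(32)  # 256 bits, unguessable
    db.execute("INSERT INTO tickets VALUES (?, ?, ?)",
               (_digest(ticket), username, now + TICKET_TTL))
    return ticket

def validate_ticket(db, ticket, now=None):
    """Return the ticket's username, or None if unknown or expired."""
    now = time.time() if now is None else now
    # Purge stale rows so an expired ticket can never match.
    db.execute("DELETE FROM tickets WHERE expires_at <= ?", (now,))
    row = db.execute("SELECT username FROM tickets WHERE ticket_hash = ?",
                     (_digest(ticket or ""),)).fetchone()
    return row[0] if row else None

def revoke_ticket(db, ticket):
    """Logout: the ticket stops working immediately."""
    db.execute("DELETE FROM tickets WHERE ticket_hash = ?", (_digest(ticket),))

if __name__ == "__main__":
    db = open_store()
    t = issue_ticket(db, "matt", now=1000.0)   # constructed user and clock
    print(validate_ticket(db, t, now=1500.0))  # inside the lifetime
    print(validate_ticket(db, t, now=2000.0))  # past expiry
```

Every API call then passes the ticket through `validate_ticket` before doing any work, so the only per-client state on the server is the ticket row itself.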
